Abstract. Formal verification using the model checking paradigm has to deal with two
aspects: The system models are structured, often as products of components, and the 
specification logic has to be expressive enough to allow the formalization of reachability 
properties. The present paper is a study on what can be achieved for infinite transition sys- 
tems under these premises. As models we consider products of infinite transition systems 
with different synchronization constraints. We introduce finitely synchronized transition 
systems, i.e. product systems which contain only finitely many (parameterized) synchro- 
nized transitions, and show that the decidability of FO(R), first-order logic extended by 
reachability predicates, of the product system can be reduced to the decidability of FO(R) 
of the components. This result is optimal in the following sense: (1) If we allow semifinite 
synchronization, i.e. just in one component infinitely many transitions are synchronized, 
the FO(R)-theory of the product system is in general undecidable. (2) We cannot extend 
the expressive power of the logic under consideration. Already a weak extension of first- 
order logic with transitive closure, where we restrict the transitive closure operators to 
arity one and nesting depth two, is undecidable for an asynchronous (and hence finitely 
synchronized) product, namely for the infinite grid. 



1. Introduction 

In the theory of algorithmic verification, a standard framework for modeling systems
is given by finite transition systems (often in the form of Kripke structures). Much effort 
is presently spent on extending this framework to cover infinite transition systems, and to 
deal adequately with the internal structure of the systems under consideration, such as their 
composition from several components. The present paper is a study on the scope of algo- 
rithmic model checking over transition systems that are composed from infinite components 
as products with various constraints on the synchronization of their transitions. 

We consider transition graphs in the format $G = (V, (E_a)_{a \in \Sigma})$ where $V$ is the set of states (or vertices) and $E_a \subseteq V \times V$ the set of $a$-labeled transitions. The direct product of two transition graphs has an $a$-labeled transition from $(p, q)$ to $(p', q')$ if there are such transitions from $p$ to $p'$ and from $q$ to $q'$. This is the case of complete synchronization. The
other extreme is the asynchronous product, where a transition in one component does not affect the other components. A main result below deals with the "intermediate" case where
the component graphs are infinite and in each component only finitely many transitions are 
used for synchronization. We call these product structures "finitely synchronized". They 
arise whenever the local computations in the components involve infinite state-spaces but 
synchronization is restricted to a finite number of actions in each component. 

We study the model checking problem for products of transition graphs with respect to 
several logics that are extensions of first-order logic FO. A basic requirement in verification 
is that reachability properties should be expressible. There are numerous ways to extend FO 
by features that allow to express reachability properties. We consider here four extensions 
that cover reachability relations, listed in the order of increasing expressiveness: 

• Reachability logic FO(R), which is obtained from FO-logic by adjoining transitive closure operators $\mathrm{Reach}_\Gamma$ over subsets $\Gamma$ of edge relations.

• FO(Reg) as a generalization of FO(R) in which path labels have to match a given 
regular expression. 

• Transitive closure logic over binary relations, which allows to proceed from any 
definable relation (and not just from some edge relations) to its transitive closure. 

• Monadic second-order logic MSO, which results from FO-logic by adjoining variables 
and quantifiers for sets (and in which transitive closure over binary relations can be 
expressed).

The purpose of this paper is to analyze for which types of products and for which of 
these logics L the decidability of the model checking problem for a product can be inferred 
from the decidability of the corresponding model checking problem for the components. In 
other words, we analyze for which kinds of products the decidability of the $\mathcal{L}$-theory of the product can be derived from the decidability of the $\mathcal{L}$-theories of the components.

Our first result is such a transfer result for the logic FO(R) over finitely synchronized 
products of transition graphs. For this, we use a technique of "composition" which resembles 
the method of Feferman and Vaught [FV59] in first-order model theory (see [CK73], [Hod93] for introductions and [Mak04] for a comprehensive survey). The Feferman-Vaught method
(applied to FO) allows to determine the FO-theory of a product structure (e.g., a direct 
product) from the FO-theories of the components and some additional information on the 
index structure. Our proof involves a more detailed semantic analysis of the components, 
thereby exploiting the assumption on finite synchronization. The result extends a theorem 
of Rabinovich [Rab07] on propositional modal logic extended by the modality EF over
asynchronous products. 

We show that our result is optimal in two ways. 

Firstly, the result does not extend to a case where we allow a slight liberalization of the 
constraint on finite synchronization: We consider "semi-finite synchronization" , in which all 
components except one can synchronize via finitely many transitions. In the presence of a 
single component with infinitely many synchronizing transitions we may obtain a structure 
with undecidable FO(R) model checking problem, whereas the problem is decidable for the 
components individually. 

Secondly, we investigate whether the logic FO(R) can be extended in the above men- 
tioned preservation result. For a strong extension like MSO it is clear that decidability of 
the component theories does not carry over to the theory of the product system. As is 
well-known, we may work with the asynchronous product of the successor structure of the 
natural numbers, which is the infinite $(\omega \times \omega)$-grid. (Note that the asynchronous product
is finitely synchronized with an empty set of synchronizing transitions.) The grid has an 
undecidable monadic theory, whereas the component structures have decidable monadic 
theories. 

We clarify the situation for weaker extensions of FO(R), namely FO(Reg) and transi- 
tive closure logic. We show that asynchronous products do not preserve the decidability of 
the FO(Reg)-theory. For transitive closure logic this undecidability result can already be 
obtained for a very simple example of an asynchronous product, namely the infinite grid as 
considered above. Moreover, we show that this undecidability phenomenon only appears 
when the TC-operator is nested. For the fragment of transitive closure logic with unnested 
TC-operators interpreted over the infinite grid, we obtain a reduction to Presburger arith- 
metic and hence the decidability of the corresponding theory. 

These undecidability results complement a theorem of Rabinovich [Rab07] where the
corresponding fact is shown for propositional modal logic extended by the modality EG 
over finite grids. 

In our results the component structures are assumed to have a decidable theory in one 
of the logics considered above. Let us summarize some of the relevant classes and their 
closure properties with respect to synchronization. 

A fundamental result is that pushdown graphs have a decidable monadic second-order 
theory [MS85]. Since then several extensions like prefix recognizable graphs [Cau96] or Caucal graphs [Cau02] have been considered, see [Tho03] for an overview. These classes
form an increasing sequence in this order, and all of them enjoy a decidable MSO-theory. 
None of these classes is closed under asynchronous products. 

Two other classes of infinite graphs we like to mention are the graphs of ground term 
rewriting systems [Col02] for which the FO(R)-theory is decidable, and ground tree rewriting systems [Lod02] for which a temporal logic with reachability and recurrence operators is
decidable. Both classes are closed under asynchronous products. 

Classes which are closed under synchronized products are rational graphs [Mor00], graphs of Thue specifications [Pay00], or graphs of linear bounded machines [KP99]. However, for all these classes already the FO-theory is undecidable and hence they are not suitable for model checking purposes.

The paper is organized as follows. In Section 2 we give the definition of a synchronized 
product of a family of graphs or transition systems, recall the definition of transitive closure 
logic, and define FO(R) and FO(Reg). 

In Section 3 we show the composition theorem for finitely synchronized products and 
reachability logic and prove that this result cannot be extended to FO(Reg) or semifinite 
synchronization in general. 

In Section 4 we investigate transitive closure logic over the infinite grid. We show that 
if we allow transitive closure operators of arity one without parameters but of nesting depth 
two the theory of the grid is undecidable. On the other hand we show that if no nesting of 
transitive closure operators is allowed, the respective theory is decidable even in presence 
of parameters in the scope of the transitive closure operators. 
2. Preliminaries

Let $(V_i)_{1 \le i \le n}$ be a family of sets. We denote by $\times_{1 \le i \le n} V_i$ the Cartesian product of these sets. Tuples $(v_1, \ldots, v_n) \in \times_{1 \le i \le n} V_i$ are usually denoted by $\bar v$, and the $i$-th component of $\bar v$ as $v_i$.

Let $\Sigma$ be a finite set of labels. A transition system is a $\Sigma$-labeled directed graph $G = (V^G, (E^G_a)_{a \in \Sigma})$, where $V^G$ is the set of vertices of $G$ and $E^G_a \subseteq V^G \times V^G$ denotes the set of $a$-labeled edges in $G$.

2.1. Synchronized Products. For $1 \le i \le n$ let $G_i := (V_i, (E^i_a)_{a \in \Sigma_i})$ be a $\Sigma_i$-labeled graph. We assume that $\Sigma_i$ is partitioned into a set $\Sigma^l_i$ of local labels (or actions) and a set $\Sigma^s_i$ of synchronizing labels, and to avoid notational complication we require the sets of local labels to be pairwise disjoint. An asynchronous transition labeled by $a \in \Sigma^l_i$ is applied only in the $i$-th component of a state $(v_1, \ldots, v_n)$ of the product graph while the other components stay fixed. For synchronizing transitions we distinguish explicitly between the components where a joint change of states is issued and the components where the state does not change. To describe the latter, define $E^i_\varepsilon := \{(v, v) \mid v \in V_i\}$ and $\Sigma^\varepsilon_i := \Sigma^s_i \cup \{\varepsilon\}$. A synchronization constraint is a set $C \subseteq \times_{1 \le i \le n} \Sigma^\varepsilon_i$. If $c \in C$, a $c$-labeled transition induces a simultaneous change in the components $i$ where $c_i \ne \varepsilon$ while the states do not change in the other components.

Formally, the synchronized product of $(G_i)_{1 \le i \le n}$ defined by $C$ is the graph $G$ with vertex set $V := \times_{1 \le i \le n} V_i$, asynchronous transitions with labels $a \in \bigcup_{1 \le i \le n} \Sigma^l_i$ defined by $E_a \bar v \bar w$ iff $E^i_a v_i w_i$ and $v_j = w_j$ for $j \ne i$, and synchronized transitions with labels $c \in C$ defined by $E_c \bar v \bar w$ iff $E^i_{c_i} v_i w_i$ for every $1 \le i \le n$. We denote the set of local transition labels $\bigcup_{1 \le i \le n} \Sigma^l_i$ of $G$ by $\Sigma^l$, and the set $C \cup \Sigma^l$ of all transition labels by $\Sigma$. A product is asynchronous if $C = \emptyset$.

Note that we slightly deviate from the definition in [Arn94] since we require the sets of
local labels and synchronizing labels to be disjoint, and implicitly assume an asynchronous 
behavior of local transitions. 

Let $(G_i)_{1 \le i \le n}$ be a family of graphs and $C \subseteq \times_{1 \le i \le n} \Sigma^\varepsilon_i$ be a synchronization constraint. For $c \in C$ let $X_c := \{i \mid c_i \ne \varepsilon\}$. For $C' \subseteq C$ we write $X_{C'} = \bigcup_{c \in C'} X_c$. Define

i.e. $\bar u \sim_c \bar v$ if $\bar u$ and $\bar v$ agree on the synchronizing components. The synchronized product $G$ of $(G_i)_{1 \le i \le n}$ defined by $C$ is called finitely synchronized if $\mathrm{index}(\sim_c)$, i.e. the number of equivalence classes of $\sim_c$, is finite for every $c \in C$. In the conference version [WT04] of this paper, finitely synchronized products involve only finitely many individual synchronizing transitions, thus disallowing the label $\varepsilon$ in the synchronization constraint. In the present treatment we allow finitely many parametrized synchronized transitions: The inclusion of constraints $c$ with $c_i = \varepsilon$ means that in the $i$-th component the transition $c$ applies to arbitrary states of $V_i$ and hence possibly infinitely many individual synchronizing transitions may be present in a finitely synchronized product.¹

¹ Thus, the proof of Theorem 3.1 below involves more technicalities than the corresponding proof in [WT04].
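As an added illustration (not code from the paper), the following Python builds the synchronized product of two small constructed component graphs exactly as defined above, including a constraint tuple with an ε entry, and then evaluates index(~_c) and the reachability predicate Reach_Γ on the result; the graphs G1 and G2, their labels and the constant EPS standing for ε are all constructed for this example.

```python
from collections import deque
from itertools import product

EPS = None  # plays the role of the label ε: "this component does not move"


class TransitionSystem:
    """A Σ-labeled directed graph: a vertex set plus, per label a, the edge set E_a."""

    def __init__(self, vertices, edges):
        self.vertices = frozenset(vertices)
        self.edges = {}  # label -> set of (v, w) pairs
        for v, a, w in edges:
            self.edges.setdefault(a, set()).add((v, w))

    def successors(self, v, a):
        """All w with E_a v w (empty if v has no outgoing a-edge)."""
        return [w for (x, w) in self.edges.get(a, ()) if x == v]

    def edge_count(self):
        return sum(len(es) for es in self.edges.values())


def synchronized_product(components, local_labels, constraint):
    """Synchronized product of G_1..G_n defined by C (Section 2.1 definition).

    components   : list of TransitionSystem G_1 .. G_n
    local_labels : list of the sets Σ_i^l (assumed pairwise disjoint)
    constraint   : set C of n-tuples over Σ_i^s ∪ {EPS}; entry EPS means
                   component i keeps its state while the others move
    Product states are n-tuples; asynchronous edges keep their local label a,
    synchronized edges are labeled by the tuple c itself.
    """
    states = set(product(*[G.vertices for G in components]))
    edges = []
    for s in states:
        # asynchronous transitions: exactly one component moves along a local label
        for i, G in enumerate(components):
            for a in local_labels[i]:
                for w in G.successors(s[i], a):
                    edges.append((s, a, s[:i] + (w,) + s[i + 1:]))
        # synchronized transitions: every component i with c_i != ε moves along c_i
        for c in constraint:
            options = [[s[i]] if c[i] is EPS else G.successors(s[i], c[i])
                       for i, G in enumerate(components)]
            for t in product(*options):  # empty if some moving component is stuck
                edges.append((s, c, t))
    return TransitionSystem(states, edges)


def reach(G, gamma, x, y):
    """Reach_Γ(x, y): y is reachable from x via edges whose labels lie in Γ (BFS)."""
    seen, queue = {x}, deque([x])
    while queue:
        u = queue.popleft()
        if u == y:
            return True
        for a in gamma:
            for w in G.successors(u, a):
                if w not in seen:
                    seen.add(w)
                    queue.append(w)
    return False


def sync_index(P, c):
    """index(~_c): number of classes of ~_c on V_c, the product vertices with an
    outgoing c-transition, where u ~_c v iff u and v agree on X_c = {i | c_i != ε}."""
    x_c = [i for i, ci in enumerate(c) if ci is not EPS]
    v_c = {u for (u, _) in P.edges.get(c, ())}
    return len({tuple(u[i] for i in x_c) for u in v_c})


# Constructed toy instance (not from the paper): G1 counts a-steps and resets with x,
# G2 flips p -> q locally and synchronizes back to p with y.
G1 = TransitionSystem({0, 1, 2}, [(0, "a", 1), (1, "a", 2), (1, "x", 0), (2, "x", 0)])
G2 = TransitionSystem({"p", "q"}, [("p", "b", "q"), ("q", "y", "p")])
# ("x", EPS) lets G1 reset whatever state G2 is in: a parametrized sync transition
C = {("x", "y"), ("x", EPS)}
P = synchronized_product([G1, G2], [{"a"}, {"b"}], C)

if __name__ == "__main__":
    print(len(P.vertices), "states,", P.edge_count(), "edges")
    print("Reach_{a,b}((0,p),(2,q)) =", reach(P, {"a", "b"}, (0, "p"), (2, "q")))
    print("Reach_{(x,y)}((2,p),(0,p)) =", reach(P, {("x", "y")}, (2, "p"), (0, "p")))
    print("index(~_(x,EPS)) =", sync_index(P, ("x", EPS)))
```

Setting the constraint to the empty set gives the asynchronous product, whose only edges are the 7 local ones.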
We collect some technical preparations in the subsequent Lemma 2.1. For this we define for every $\emptyset \ne C' \subseteq C$ the equivalence relation

$$\bar u \sim_{C'} \bar v \;:\Longleftrightarrow\; \bar u \sim_c \bar v \text{ for every } c \in C'$$

and restrict the relation $\sim_{C'}$ to the set of vertices of the synchronized product from which an outgoing transition exists for every $c \in C'$, i.e. to the set

$$V_{C'} := \{\bar u \in \times_{1 \le i \le n} V_i \mid \forall c \in C' \;\exists \bar v \text{ such that } (\bar u, \bar v) \in E_c\}.$$

Lemma 2.1. Let $(G_i)_{1 \le i \le n}$ be a family of graphs and $C \subseteq \times_{1 \le i \le n} \Sigma^\varepsilon_i$ be a synchronization constraint.

(a) If $G$ is finitely synchronized, then $\mathrm{index}(\sim_{C'})$ is finite for every $\emptyset \ne C' \subseteq C$.

(b) For every subset $\emptyset \ne C' \subseteq C$, if $\bar u \sim_{C'} \bar v$ and $G \models \mathrm{Reach}_{\Sigma^l \cup C'}[\bar u, \bar w]$, there exists a $\bar w'$ such that $G \models \mathrm{Reach}_{\Sigma^l \cup C'}[\bar v, \bar w']$ and $\bar w \sim_{C'} \bar w'$.

(c) Let $\Gamma \subseteq \Sigma^l \cup C$. If $G \models \mathrm{Reach}_\Gamma[\bar u, \bar v]$, $G \models \mathrm{Reach}_\Gamma[\bar v, \bar w]$ and $\bar u \sim_{C'} \bar v$ then $G \models \mathrm{Reach}_\Gamma[\bar u, \bar w]$ and the path from $\bar u$ to $\bar w$ can be chosen such that no intermediate vertex is $\sim_{C'}$-equivalent to $\bar u$.

Proof. (a) If $G$ is finitely synchronized, then $\mathrm{index}(\sim_c)$ is finite for every $c \in C$. If $C'' \subseteq C' \subseteq C$ then $\sim_{C'}$ refines $\sim_{C''}$ on $V_{C'} \subseteq V_{C''}$. Therefore, for every $\emptyset \ne C' \subseteq C$ the number of equivalence classes of $\sim_{C'}$ is bounded by $\prod_{c \in C'} \mathrm{index}(\sim_c)$.

(c) is a direct consequence of (b), which remains to be shown. Let $\bar u \sim_{C'} \bar v$ and $G \models \mathrm{Reach}_{\Sigma^l \cup C'}[\bar u, \bar w]$. Since transitions labeled with symbols from $\bigcup_{i \notin X_{C'}} \Sigma^l_i$ commute with transitions labeled by symbols from $\bigcup_{i \in X_{C'}} \Sigma^l_i \cup C'$, we may w.l.o.g. assume that the path from $\bar u$ to $\bar w$ is of the form

$$\bar u = \bar u_1 \xrightarrow{a_1} \bar u_2 \xrightarrow{a_2} \cdots \xrightarrow{a_{m-1}} \bar u_m = \bar u'_1 \xrightarrow{b_1} \bar u'_2 \xrightarrow{b_2} \cdots \xrightarrow{b_{r-1}} \bar u'_r = \bar w$$

with $a_j \in \bigcup_{i \notin X_{C'}} \Sigma^l_i$ for $1 \le j < m$ and $b_j \in \bigcup_{i \in X_{C'}} \Sigma^l_i \cup C'$ for $1 \le j < r$. Hence by definition of $\sim_{C'}$ we have $\bar u[X_{C'}] = \bar u'_1[X_{C'}] = \bar v[X_{C'}]$. Thus there is a path $\bar v = \bar v_1 \xrightarrow{b_1} \bar v_2 \cdots \xrightarrow{b_{r-1}} \bar v_r = \bar w'$ in $G$ and $\bar w \sim_{C'} \bar w'$. □

2.2. First-Order Logic and Extensions. We assume that the reader is familiar with first-order logic FO over graphs. We denote formulas by $\varphi(x_1, \ldots, x_n)$ to express that the free variables of $\varphi$ are among $x_1, \ldots, x_n$. If $G$ is a graph and $v_1, \ldots, v_n$ are the vertices assigned to the variables $x_1, \ldots, x_n$, we denote by $(G, v_1, \ldots, v_n) \models \varphi(x_1, \ldots, x_n)$ or shortly by $G \models \varphi[v_1, \ldots, v_n]$ that the formula $\varphi$ is satisfied in $G$ under the respective variable assignment.

Transitive closure logic FO(TC) is defined by extending FO with formulas of the type

$$\psi := [\mathrm{TC}_{\bar x, \bar y}\, \varphi(\bar x, \bar y, \bar z)]\, \bar s, \bar t$$

where $\varphi(\bar x, \bar y, \bar z)$ is an FO(TC)-formula, $\bar x, \bar y$ are disjoint tuples of free variables of the same length $k > 0$, $\bar s, \bar t$ are tuples of variables of length $k$ and $\mathrm{free}(\psi) := (\mathrm{free}(\varphi) \setminus \{\bar x, \bar y\}) \cup \{\bar s, \bar t\}$. Note that in the notation $[\mathrm{TC}_{\bar x, \bar y}\, \varphi(\bar x, \bar y, \bar z)]\, \bar x, \bar y$ the variables inside the square brackets are bound while the variables at the end of the formula occur free.

Let $G$ be a graph, let $\bar c$, $\bar d$, and $\bar e$ be the interpretations of the variables $\bar z$, $\bar s$, and $\bar t$ in $\psi$. Let $E$ be the relation on $k$-tuples defined by $E(\bar c) := \{(\bar a, \bar b) \mid (G, \bar a, \bar b, \bar c) \models \varphi(\bar x, \bar y, \bar z)\}$, and $E'(\bar c)$ be its transitive closure, i.e. $(\bar a, \bar b) \in E'(\bar c)$ iff there exists a sequence $\bar f_0, \bar f_1, \ldots, \bar f_l$ such that $\bar f_0 = \bar a$, $(\bar f_{i-1}, \bar f_i) \in E(\bar c)$ for $1 \le i \le l$ and $\bar f_l = \bar b$. The semantics of the FO(TC)-formula above is defined by

$$(G, \bar c, \bar d, \bar e) \models [\mathrm{TC}_{\bar x, \bar y}\, \varphi(\bar x, \bar y, \bar z)]\, \bar s, \bar t \;:\Longleftrightarrow\; (\bar d, \bar e) \in E'(\bar c).$$

We call the variables $\bar z$ parameters for the transitive closure operator. By FO(TC)$^{(k)}$ we denote the fragment of FO(TC) where the transitive closure operation is only allowed to define relations over tuples of length $\le k$, i.e. the length of the tuples $\bar x, \bar y$ in the definition above is bounded by $k$. For example, in FO(TC)$^{(1)}$ we can only define binary relations using a transitive closure operator. For finite models the arity hierarchy (FO(TC)$^{(k)}$)$_{k > 0}$ is strict [Gro96].

By FO(TC)$^{(k)}_l$ we denote the fragment of FO(TC)$^{(k)}$ where the nesting depth of transitive closure operations is bounded by $l$.

In transitive closure logic we can express that from a vertex $x$ a vertex $y$ is reachable via a path with labels from some set $\Sigma' \subseteq \Sigma$ by

$$\mathrm{Reach}_{\Sigma'}(x, y) := [\mathrm{TC}_{x, y}\, (x = y \vee \bigvee_{a \in \Sigma'} E_a x y)]\, x, y.$$

We call the restriction of FO(TC) where the only transitive closure formulas allowed are of the form $\mathrm{Reach}_{\Sigma'}(x, y)$ for $\Sigma' \subseteq \Sigma$ reachability logic and denote it by FO(R).

The expressive power of the reachability predicates in FO(R) is limited, e.g. we cannot express that there is a path between vertices $v$ and $w$ in the graph whose labels form a word in a given regular language.

We denote by FO(Reg) first-order logic extended by reachability predicates $\mathrm{Reach}_r(x, y)$ for regular expressions $r$ over $\Sigma$, where $G \models \mathrm{Reach}_r[v, w]$ if there is a path in $G$ from $v$ to $w$ labeled by a word contained in the language described by $r$.

3. Synchronization and FO(R)

In this section we show that synchronization preserves the decidability of the FO(R)- 
theory if (and only if) the product is finitely synchronized. For this case we prove a com- 
position theorem that reduces the evaluation of a formula in the product graph to the 
evaluation of several formulas in the component graphs and a Boolean combination of these 
truth values. This result does not extend to the case of FO(Reg). 

Furthermore we show that semifinite synchronization of two components, where in just 
one of the components infinitely many edges are allowed to be synchronized, does in general 
not preserve the decidability of the FO(R)-theory. 

Theorem 3.1. Let $G$ be a finitely synchronized product of a family $(G_i)_{1 \le i \le n}$ of graphs with decidable FO(R)-theories. Then the FO(R)-theory of $G$ is also decidable, and for an FO(R)-formula $\varphi$ we can effectively construct sets of formulas $\Psi_i$ and a Boolean formula $\alpha$ such that $G \models \varphi$ iff $\alpha$ is true under the Boolean interpretation defined by the truth values of the formulas in $\Psi_i$.

Proof. Let $(G_i)_{1 \le i \le n}$ be a family of graphs whose signatures $\Sigma_i := \Sigma^l_i \cup \Sigma^s_i$ are partitioned into local and synchronizing labels. Let $C \subseteq \times_{1 \le i \le n} \Sigma^\varepsilon_i$ be a synchronization constraint such that the product $G$ of $(G_i)_{1 \le i \le n}$ is finitely synchronized with respect to $C$.
We show by induction that for every FO(R)-formula $\varphi$ over $\Sigma$ there are finite sets $\Psi_i$ of $\Sigma_i$-formulas and a Boolean formula $\alpha$ over predicates $p_i(\psi_j)$ ($1 \le j \le |\Psi_i|$, $1 \le i \le n$) such that

$$(G, \bar v_1, \ldots, \bar v_m) \models \varphi(x_1, \ldots, x_m) \;\Longleftrightarrow\; I(\bar v_1, \ldots, \bar v_m) \models \alpha \tag{3.1}$$

where $I(\bar v_1, \ldots, \bar v_m)$ is the Boolean interpretation defined by

$$I(\bar v_1, \ldots, \bar v_m)(p_i(\psi_j)) := \begin{cases} \text{true} & \text{if } G_i \models \psi_j[v_{1,i}, \ldots, v_{m,i}] \\ \text{false} & \text{otherwise.} \end{cases}$$



We start with the atomic formulas. For $x = y$ let $\psi_i := (x = y)$, for $E_a x y$ with $a \in \Sigma^l_i$ let $\psi_i := E_a x y$ and $\psi_j := (x = y)$ for $j \ne i$, and for $E_c x y$ with $c \in C$ let $\psi_i := E_{c_i} x y$. For every formula above let $\alpha := \bigwedge_{1 \le i \le n} p_i(\psi_i)$. Obviously (3.1) holds in all cases, so the remaining "atomic" formulas we have to take care of are of the form $\mathrm{Reach}_\Gamma(x, y)$ for $\Gamma \subseteq \Sigma$.

For this part of the proof we proceed by induction on the number of synchronizing transitions from $C$ which appear in $\Gamma$. We may assume that $\Gamma$ comprises all local transition labels, i.e. that $\Sigma^l \subseteq \Gamma$; otherwise in the following every occurrence of $\Sigma^l_i$ has to be replaced by $\Sigma^l_i \cap \Gamma$.

We first consider the case that there is only a single synchronizing transition $c \in \Gamma$. By the definition of finitely synchronized product we know that $\mathrm{index}(\sim_c)$ is finite, and by Lemma 2.1 (c) that we have to pass through every equivalence class at most once. Let $k = \mathrm{index}(\sim_c)$. For $i \in X_c$ and $1 \le m \le k$ define

$$\psi^i_{(c,m)}(x, y) := \exists z_1 \ldots \exists z_m \Big( \mathrm{Reach}_{\Sigma^l_i}(x, z_1) \wedge y = z_m \wedge \bigwedge_{1 \le j < m} \exists w\, [E_{c_i} z_j w \wedge \mathrm{Reach}_{\Sigma^l_i}(w, z_{j+1})] \Big)$$

which expresses that on a path from $x$ to $y$ in component $i$ exactly $m$ vertices $z_1, \ldots, z_m$ are passed from which a synchronized transition is possible. For $i \notin X_c$ we set

$$\psi^i_{(c,m)}(x, y) := \mathrm{Reach}_{\Sigma^l_i}(x, y)$$

and define $\Psi_i(c) := \{\psi^i_{(c,m)}(x, y) \mid 1 \le m \le k\}$. Setting

$$\alpha := \bigvee_{1 \le m \le k} \bigwedge_{1 \le i \le n} p_i(\psi^i_{(c,m)})$$

ensures (3.1) for sets $\Gamma$ which contain at most one synchronizing edge label $c$.

Let now $C' = C \cap \Gamma$. By the induction hypothesis we may assume that for every subset $C'' \subsetneq C'$ there are families of formulas $\Psi_i(C'') := \{\psi^i_{(C'',m)}(x, y) \mid 1 \le m \le m(C'')\}$ and Boolean formulas $\alpha(C'')$ such that (3.1) holds, i.e.

$$G \models \mathrm{Reach}_{C'' \cup \Sigma^l}[\bar v, \bar w] \;\Longleftrightarrow\; I(\bar v, \bar w) \models \alpha(C''). \tag{3.2}$$

Let $k := \mathrm{index}(\sim_{C'})$ and $l := \sum_{C'' \subsetneq C'} \mathrm{index}(\sim_{C''})$, for $1 \le r \le k$ let $\sigma_1$ be a mapping $\sigma_1 : \{1, \ldots, r\} \to \{1, \ldots, l\}$ and $\sigma_2$ a mapping $\sigma_2 : \{1, \ldots, l\} \to \{(C'', s) \mid C'' \subsetneq C', s \le m(C'')\}$. The number of vertices in $V_{C'}$ which are passed on the path from vertex $\bar u$ to $\bar v$ is $r$. The mapping $\sigma_1$ then determines the number of $\sim_{C''}$ equivalence classes which are passed on the path between consecutive vertices in $V_{C'}$ and $\sigma_2$ determines the order in which vertices from $\sim_{C''}$ equivalence classes appear.



S. WÖHRLE AND W. THOMAS
Let $\pi_1, \ldots, \pi_t$ be an enumeration of all mappings which can be obtained by composing the mappings $\sigma_1$ and $\sigma_2$. We define for $t' \le t$, $\pi_{t'} := \sigma_2 \circ \sigma_1$ with $\sigma_j$ as above, and $1 \le i \le n$ the formula

$$\psi^i_{(C',t')}(x, y) := \exists y_1 \ldots \exists y_r \Big( y_1 = x \wedge y_r = y \wedge \bigwedge_{1 \le p < r} \big( \exists z_1 \ldots \exists z_{\sigma_1(p)}\, (z_1 = y_p \wedge z_{\sigma_1(p)} = y_{p+1}) \big) \Big)$$

The Boolean formula $\alpha(C')$ is then defined to be

$$\alpha(C') := \bigvee_{1 \le t' \le t} \bigwedge_{1 \le i \le n} p_i(\psi^i_{(C',t')})$$

We claim now that for every $C' \subseteq C$

$$G \models \mathrm{Reach}_{\Sigma^l \cup C'}[\bar u, \bar v] \;\Longleftrightarrow\; I(\bar u, \bar v) \models \alpha(C'). \tag{3.3}$$

We first consider the direction from right to left. Let $I(\bar u, \bar v) \models \alpha(C')$. The case $C' = \{c\}$ has already been dealt with above. So assume that (3.3) holds for every $C'' \subsetneq C'$. Then $I(\bar u, \bar v) \models \bigwedge_{1 \le i \le n} p_i(\psi^i_{(C',t')})$ for some $t'$, i.e. there exist an $r$ and mappings $\sigma_1 : \{1, \ldots, r\} \to \{1, \ldots, l\}$ and $\sigma_2 : \{1, \ldots, l\} \to \{(C'', s) \mid C'' \subsetneq C', s \le m(C'')\}$ such that for $1 \le i \le n$

$$(G_i, u_i, v_i) \models \exists y_1 \ldots \exists y_r \Big( y_1 = x \wedge y_r = y \wedge \bigwedge_{1 \le p < r} \big( \exists z_1 \ldots \exists z_{\sigma_1(p)}\, (z_1 = y_p \wedge z_{\sigma_1(p)} = y_{p+1}) \big) \Big)$$

If we denote the valuation of the variables $z_j$ (respectively $y_j$) in $G_i$ which make the formula above true by $z^i_j$ (respectively $y^i_j$) and their $n$-tuple by $\bar z_j$ (respectively $\bar y_j$) we obtain that $I(\bar z_j, \bar z_{j+1}) \models \alpha(\sigma_2(q)_1)$ for $1 \le j < \sigma_1(p)$ (here $\sigma_2(q)_1$ denotes the first component of $\sigma_2(q)$). Hence $G \models \mathrm{Reach}_{\Sigma^l \cup \sigma_2(q)_1}[\bar z_j, \bar z_{j+1}]$ for $1 \le j < \sigma_1(p)$ and since $\bigcup_{1 \le q < \sigma_1(p)} \sigma_2(q)_1 \subseteq C'$ also $G \models \mathrm{Reach}_{\Sigma^l \cup C'}[\bar y_j, \bar y_{j+1}]$ for $1 \le j < r$. Hence we obtain $G \models \mathrm{Reach}_{\Sigma^l \cup C'}[\bar u, \bar v]$.

For the direction from left to right suppose that $G \models \mathrm{Reach}_{\Sigma^l \cup C'}[\bar u, \bar v]$. By Lemma 2.1 (c) we know that there is a path from $\bar u$ to $\bar v$ in $G$ which passes every $\sim_{C'}$ equivalence class at most once. Let $\bar y_1, \ldots, \bar y_r$ be the sequence of these vertices from $V_{C'}$ on the path. We now consider for $1 \le j < r$ the path segments between $\bar y_j$ and $\bar y_{j+1}$. Every such path segment can be further decomposed in the following way: Let $\bar z_1$ be the first vertex in the segment which is contained in some $V_{C''}$ for $\emptyset \ne C'' \subsetneq C'$. If there is no such $\bar z_1$ only local labels can appear on the path from $\bar y_j$ to $\bar y_{j+1}$. In this case choose $\bar z_1 := \bar y_{j+1}$.

Then we choose $\bar z_2$ to be the last vertex on the path from $\bar y_j$ to $\bar y_{j+1}$ such that $G \models \mathrm{Reach}_{\Sigma^l \cup C''}[\bar z_1, \bar z_2]$, i.e. $\bar z_2 \in V_{C'''}$ for some $C''' \subsetneq C'$ with $C''' \setminus C'' \ne \emptyset$. This decomposition can be continued until $\bar y_{j+1}$ is reached.

Figure 1 shows such a decomposition of a path from $\bar u$ to $\bar v$. Every path segment from $\bar y_j$ to $\bar y_{j+1}$ is again partitioned as shown. For sake of readability we mention only the set of synchronizing labels allowed on the intermediate paths and write $C'$ for $C' \cup \Sigma^l$.

By Lemma 2.1 (c) we again know that the number of intermediate vertices $\bar z$ can be bounded by $l := \sum_{C'' \subsetneq C'} \mathrm{index}(\sim_{C''})$. By the induction hypothesis on subsets $C'' \subsetneq C'$ we know that for every pair of successive vertices $\bar z_j, \bar z_{j+1}$ with $\bar z_j \in V_{C''}$ there exists a conjunct of $\alpha(C'')$, i.e. some $s$ such that

$$G \models \mathrm{Reach}_{C'' \cup \Sigma^l}[\bar z_j, \bar z_{j+1}] \;\Longleftrightarrow\; I(\bar z_j, \bar z_{j+1}) \models \bigwedge_{1 \le i \le n} p_i(\psi^i_{(C'',s)}).$$

In particular we have $G_i \models \psi^i_{(C'',s)}[z^i_j, z^i_{j+1}]$ for every $1 \le i \le n$ and all intermediate vertices $\bar z_j$.

Figure 1: Sample decomposition of a path (diagram not reproduced)

Combining these decomposition results we obtain that there exists some $r$ bounded by $\mathrm{index}(\sim_{C'})$ (the number of vertices $\bar y$), a function $\sigma_1 : \{1, \ldots, r\} \to \{1, \ldots, l\}$ which determines the number of intermediate vertices $\bar z$ between the $\bar y$ vertices, and a function $\sigma_2 : \{1, \ldots, l\} \to \{(C'', s) \mid C'' \subsetneq C', s \le m(C'')\}$ which determines to which $V_{C''}$ an intermediate vertex $\bar z_j$ belongs and which conjunct of $\alpha(C'')$ is satisfied by the interpretation induced by $\bar z_j$ and $\bar z_{j+1}$. Thus we obtain that $G_i \models \psi^i_{(C',t')}[u_i, v_i]$ for $1 \le i \le n$ and some $t'$, and hence $I(\bar u, \bar v) \models \alpha(C')$.

This finishes the proof for atomic formulas. Formulas composed by Boolean connectives and existential quantification are now easy to handle.

The case of Boolean connectives may be solved in the standard way. Let $\varphi_1(\bar x)$ and $\varphi_2(\bar y)$ be FO(R)-formulas and $\alpha_1, (\Psi^1_i)_{1 \le i \le n}$ as well as $\alpha_2, (\Psi^2_i)_{1 \le i \le n}$ be given by the induction hypothesis. Then, for $\neg\varphi_1(\bar x)$ we can choose the same $(\Psi^1_i)_{1 \le i \le n}$ and the Boolean formula to be $\neg\alpha_1$, and for $\varphi_1(\bar x) \vee \varphi_2(\bar y)$ we choose $\Psi_i := \Psi^1_i \cup \Psi^2_i$ and $\alpha = \alpha_1 \vee \alpha_2$.

To finish the proof let $\varphi(x_1, \ldots, x_n) := \exists x_{n+1}\, \varphi_1(x_1, \ldots, x_{n+1})$. Let $\Psi^1_i$ and $\alpha_1$ be the formulas computed for $\varphi_1(x_1, \ldots, x_{n+1})$. Let $\mathcal{I}$ be the set of all satisfying assignments for $\alpha_1$. For every $I \in \mathcal{I}$ let $I_i := \{j \mid I(p_i(\psi_j)) = \text{true}\}$. Then sets $\Psi_i$ for $1 \le i \le n$ are constructed by adding for every $I \in \mathcal{I}$ the formula

$$\psi^i_I := \exists x_{n+1} \Big( \bigwedge_{j \in I_i} \psi_j \wedge \bigwedge_{j \notin I_i} \neg\psi_j \Big).$$

Then we can define $\alpha := \bigvee_{I \in \mathcal{I}} \bigwedge_{1 \le i \le n} p_i(\psi^i_I)$. □

For a complexity analysis of this algorithm, note that even in the special case in which 
the synchronization constraint does not contain e, the number of formulas which have to be 
evaluated in the components cannot be bounded by an elementary function. This is due to 
the exponential increase of the sets which result from dealing with existential quantifiers. 

It is easy to see that Theorem 3.1 also covers FO(Reg)-formulas with regular expressions built from $\Gamma_j$ for $\Gamma_j \subseteq \Sigma$ using $\cdot$ and $+$. However, if we allow reachability predicates with regular expressions of the form $(\Gamma_1 \cdot \Gamma_2)^*$ the decidability of the corresponding theory will be lost.

Theorem 3.2. Asynchronous products do not preserve the decidability of the FO(Reg)- 
theory. 
Proof. We use a 2-PDA $A$ (pushdown automaton with two stacks) that simulates a universal Turing machine (cf. [HU79]). Formally a 2-PDA is a tuple $A = (Q, \Sigma, \Gamma, q_0, \Delta, f)$ where $Q$ is a finite set of states, $\Sigma$ and $\Gamma$ the input alphabet, respectively stack alphabet, $q_0$ is the initial state, $f$ is the final state, and $\Delta \subseteq Q \times \Sigma \times (\Gamma \cup \{\varepsilon\})^2 \times (\Gamma \cup \{\varepsilon\})^2 \times Q$ the transition relation. The configuration with state $p$ and stack contents $u, v$ (discarding the stack bottom symbols) is denoted by $(p, u, v)$ (similarly a pair $(p, u)$ is a configuration of a standard PDA). We assume that Turing machines (as well as 2-PDAs) are normalized, i.e. that each state is reachable from the initial state $q_0$, the only sink state is the final state $f$ and there are no incoming transitions to $q_0$.

Input words for the universal 2-PDA $A$ are of the form $w_1 \$ w_2 \#$ where $w_1$ is the code of a Turing machine and $w_2$ an input word for the Turing machine. We assume that $A$ processes such an input word in two phases: First $w_1 \$ w_2 \#$ is written into the first stack (in reverse order) and then transferred into the second stack (with the first letter of $w_1$ on top of the stack). With this configuration the second phase starts (and we call its initial state $q'_0$), realizing the actual simulation of the universal Turing machine. It is well-known that the reachability problem for $A$ ("Given $w_1 \$ w_2 \#$ as input, does $A$ reach the final state?") is undecidable.

To reduce this reachability problem for $A$ to the model checking problem for FO(Reg) over an asynchronous product of graphs with decidable FO(Reg)-theory, we split $A$ into two component pushdown automata

$$A_1 = (Q, \Sigma \times \Delta, \Gamma, q_0, \Delta_1, f)$$

$$A_2 = (Q, \Sigma \times \Delta, \Gamma, q_0, \Delta_2, f)$$

where for every $\delta = (q, a, \gamma_1, \gamma_2, \gamma_3, \gamma_4, p) \in \Delta$ the following transitions are included:

$$(q, (a, \delta), \gamma_1, \gamma_3, p) \text{ to } \Delta_1,$$

$$(q, (a, \delta), \gamma_2, \gamma_4, p) \text{ to } \Delta_2.$$

Each of the graphs generated by $A_1$ and $A_2$ has a decidable MSO-theory and therefore also a decidable FO(Reg)-theory. Let $B$ be their asynchronous product. Let $r$ be the regular expression

$$r = \Big( \bigcup_{a \in \Sigma,\, \delta \in \Delta} (a, \delta)(a, \delta) \Big)^*$$

which states that a transition of $A_1$ is followed by the corresponding transition of $A_2$. We obtain that

$$B \models \mathrm{Reach}_r(x, y)[((q, u), (q, v)), ((q', u'), (q'', v'))]$$

iff $q' = q''$ and $A$ can reach from configuration $(q, u, v)$ the configuration $(q', u', v')$.

It is now easy to construct for every word wi$'W2# a first-order formula ip^^^^^^{x , y) 
such that 

S N fwi$w2#ix^y)[iiQo,£),iQo,£)),{iq,ui),{Q,U2))] 
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iff ui = e, U2 = tyi$W2# and q = Qq. Then we obtain that 

B \= 3zi3z23z3(^(p^^$^,^#{{{qo,e),{qo,e)),zi) A Reach,.(zi, Z2) 

A V {E(^a,5)Z2Z3AE^^s)Z3{{f,u),{f,v)))^ 

<5eA 

iff A reaches a halting configuration after processing wi%W2H^- Note that since A is normal- 
ized we can ensure that the initial configuration {{qQ,e), ('ZO)^)) and all final configurations 
{{f,u), {f,v)) are first-order definable. □ 

We now turn to the proof that semifinite synchronization in general does not preserve 
the decidability of the FO(R)-theory. We reduce the halting problem of deterministic Turing 
machines to the model checking problem for FO(R) for synchronized products of finite 
graphs and infinite graphs which are generated by ground tree rewriting systems (GTRS). 
The GTRS graphs we will construct are of finite out-degree and hence have a decidable 
FO(R)-theory [Lod02, Lod03].

The GTRS graph will encode computations of the Turing machine M, but not all of 
them are valid. We will use the synchronization with a finite graph to eliminate computa- 
tions which are not valid. 

Our construction of the GTRS graph encoding computations of $M$ follows ideas of [Lod03]. Before we start the proof we give a short definition of the Turing machine model we use and of ground tree rewriting systems. For a more detailed description we refer to [HU79] and [Lod03].

A deterministic Turing machine is a tuple $M = (Q, \Gamma, q_0, q_f, \delta)$ where $Q$ is a finite set of states, $\Gamma$ is an alphabet containing a designated blank symbol $\sqcup$, $q_0$ is the initial state, $q_f$ is the halting state, and $\delta : Q \times \Gamma \to Q \times \Gamma \times \{L, R\}$ is the transition function. A configuration of $M$ is a sequence $a_1, \ldots, a_k, q, b_l, b_{l-1}, \ldots, b_1$ where $a_i, b_i \in \Gamma$, $q \in Q$ and $b_l$ denotes the symbol currently read by the head of the machine. We consider two configurations to be equivalent if they differ only in leading or trailing blank symbols, and do not distinguish between equivalent configurations.

A ground tree rewriting system is a tuple $\mathcal{R} = (A, \Sigma, R, t_0)$ where $A$ is a ranked alphabet, $\Sigma$ is a set of labels for the rules, $R$ is a finite set of rules, and $t_0$ is a finite tree over $A$. We denote the set of all finite trees over $A$ by $T_A$. A rewriting rule $r$ is of the form $t \xrightarrow{\sigma} t'$ with $t, t' \in T_A$ and $\sigma \in \Sigma$. A rule $r$ is applicable to a tree $s$ if there is a subtree $s_1$ of $s$ equal to $t$, and the result of an application of $r$ to $s$ is a tree $s'$ obtained from $s$ by replacing $s_1$ with $t'$. $\mathcal{R}$ generates a $\Sigma$-labeled graph whose vertices are the trees that can be obtained from $t_0$ by applying rewriting rules from $R$, with a $\sigma$-labeled edge between $s$ and $s'$ if $s'$ results from $s$ by an application of a rule of the form $t \xrightarrow{\sigma} t' \in R$.

Theorem 3.3. Semifinite synchronization does not preserve the decidability of the FO(R)- 
theory. 
Proof. Let $M = (Q, \Gamma, q_0, q_f, \delta)$ be a deterministic Turing machine. We assume that $q_0 \ne q_f$, $Q \cap \Gamma = \emptyset$, $X \notin Q \cup \Gamma$ and encode a configuration $a_1, \ldots, a_k, q, b_l, b_{l-1}, \ldots, b_1$ of $M$ by a tree

[configuration tree diagram not reproduced; its surviving labels are $X$, $a_1$ and $q$]

Every transition of the Turing machine will be simulated by the rewriting system in two 
steps, by first rewriting the right branch of the configuration tree, and then rewriting the 
left branch. The labels of the rewriting rules will indicate which letter from $\Gamma$ has to be 
added ($+$) or removed ($-$) from the left branch of the configuration tree, and $\top$ respectively 
$\bot$ indicate whether the halting state has been reached or not. 

More precisely we define a GTRS $\mathcal{R} = (A, \Sigma, R, t_0)$ where $A_2 = \{\bullet\}$, $A_1 = \Gamma \cup \{X\}$, 
$A_0 = A_1 \cup Q$, $\Sigma = \{+, -\} \times (\Gamma \cup \bar\Gamma) \times \{\bot, \top\}$ and 

$t_0$ is the tree [diagram not recoverable from the extraction; its legible labels are $X$, $X$ and $q_0$]. 

The set $R$ is defined by adding for $\delta(q, b) = (p, c, L)$ and every $a \in \Gamma$ the rules 

[rule diagrams labeled $(-, a, *)$, one of them under the side condition $a = \sqcup$; not recoverable from the extraction] 

and for $\delta(q, b) = (p, c, R)$ and every $a \in \Gamma$ the rules 

[rule diagrams labeled $(+, c, *)$, one of them under the side condition $a = \sqcup$; not recoverable from the extraction] 

where $* = \top$ if $p = q_f$ and $* = \bot$ otherwise. Note that these rules can only be applied to 
the right branch of a configuration tree. For the left branch we add for every $a, c \in \Gamma$ and 
$* \in \{\bot, \top\}$ the rules 

[rule diagrams removing $a$ from the left branch, one of them under the side condition $a = \sqcup$; not recoverable from the extraction] 

as well as 

[rule diagrams labeled $(+, c, *)$ adding $c$ below $a$, respectively below $X$ if $c \neq \sqcup$; not recoverable from the extraction] 

By construction, a path through the graph $G$ generated by $\mathcal{R}$ corresponds to a valid com- 
putation of $M$ started on the empty tape iff every transition with label $(+, a, *)$ respec- 
tively $(-, \bar a, *)$ is followed by its counterpart labeled $(+, \bar a, *)$ respectively $(-, a, *)$. Let 
$H$ be the star graph with $|\Sigma| + 1$ many vertices where the center vertex $v$ has for every 
$(\$, a, *) \in \{+, -\} \times \Gamma \times \{\bot, \top\}$ a single outgoing edge with this label to a vertex $w$ and the 
single corresponding incoming edge from $w$ labeled $(\$, \bar a, *)$. If we define the synchronization 
constraint $C := \{(\sigma, \sigma) \mid \sigma \in \Sigma\}$, the synchronized product of $G$ and $H$ will contain exactly 
the valid computations of $M$. To decide whether $M$ halts on the empty tape we thus have 
to check the truth of the formula 

[formula not recoverable from the extraction; its legible parts are disjunctions indexed by $\sigma \in \Sigma$ and by $\sigma \in \{+, -\} \times \Gamma \times \{\top\}$] 

in the semifinitely synchronized product of $G$ and $H$. □ 



4. Transitive Closure Logic over the Infinite Grid 

The infinite grid is the structure $\mathcal{G} = (\omega^2, S_1, S_2)$ with two successor relations $S_1$ and 
$S_2$. It can be viewed as the asynchronous and hence finitely synchronized product of two 
copies of the natural numbers with successor relation, $\mathcal{N}_1 = (\omega, S_1)$ and $\mathcal{N}_2 = (\omega, S_2)$, 
defined by the empty synchronization constraint. 

We show in this section how to interpret the first-order theory of addition and multi- 
plication of the natural numbers in $\mathrm{FO(TC)}^{2}_{(1)}$ (without parameters) over the infinite grid. 
$\mathrm{FO(TC)}^{2}_{(1)}$ allows only transitive closure operators of arity one and a nesting depth of two. 

It is well known that the FO-theory of addition and multiplication of $\mathcal{N}$ is undecidable. 
However, since $\mathrm{FO(TC)}_{(1)}$ can be interpreted in MSO, $\mathrm{FO(TC)}_{(1)}$ is decidable over $\mathcal{N}$. 
From these results we can conclude that the $\mathrm{FO(TC)}^{2}_{(1)}$-theory is not preserved by finitely 
synchronized products and thus obtain that we cannot extend FO(R) much without losing 
decidability for finitely synchronized products. 

To interpret the theory of addition and multiplication in $\mathrm{FO(TC)}^{2}_{(1)}$ over the infinite 
grid we first connect the transitive closure theories of $\mathcal{N}$ and $\mathcal{G}$. 

Lemma 4.1. Let $k \ge 1$. 

(a) For every $\mathrm{FO(TC)}_{(k)}$-sentence $\psi$ there is a $\mathrm{FO(TC)}_{(2k)}$-sentence $\varphi$ such that $\mathcal{G} \models \psi \iff \mathcal{N} \models \varphi$. 

(b) For every $\mathrm{FO(TC)}_{(2k)}$-sentence $\varphi$ there is a $\mathrm{FO(TC)}_{(k)}$-sentence $\psi$ such that $\mathcal{N} \models \varphi \iff \mathcal{G} \models \psi$. 

Proof. For (a) there is almost nothing to show. It suffices to split every variable $x$ (inter- 
preted as a vertex of the grid) into coordinate variables $x_1$ and $x_2$ (interpreted as natural 
numbers) and to replace the atomic formulas $S_1 xy$ by $S x_1 y_1$ and $S_2 xy$ by $S x_2 y_2$. 

For (b) we identify every $x \in \omega$ with $(x, 0) \in \omega^2$. To reduce the number of variables 
needed in a TC operator we represent a pair of variables $x_1, x_2$ by a single variable $x = 
(x_1, x_2)$ to be interpreted as a vertex of the grid. 

To finish the proof it suffices to show that the following operations are $\mathrm{FO(TC)}_{(1)}$- 
definable: 

(i) $\pi_i$ with $\pi_1((x_1, x_2)) := (x_1, 0)$ and $\pi_2((x_1, x_2)) := (0, x_2)$, 

(ii) $\mathrm{swap}_i$ with $\mathrm{swap}_1((x, 0)) := (0, x)$ and $\mathrm{swap}_2((0, x)) := (x, 0)$, 

(iii) $\mathrm{comb}$ with $\mathrm{comb}((x, 0), (0, y)) := (x, y)$. 

Then a $\mathrm{FO(TC)}_{(2k)}$ formula $[\mathrm{TC}_{\bar x, \bar y}\, \varphi(\bar x, \bar y, \bar z)]\, \bar x, \bar y$ is equivalent to the $\mathrm{FO(TC)}_{(k)}$ formula 

$$\exists \bar u \bar v \Big( \bigwedge_{1 \le i \le k} \big( u_i = \mathrm{comb}(x_{2i-1}, \mathrm{swap}_2(x_{2i})) \wedge v_i = \mathrm{comb}(y_{2i-1}, \mathrm{swap}_2(y_{2i})) \big) \wedge [\mathrm{TC}_{\bar u, \bar v}\, \psi(\bar u, \bar v, \bar z)]\, \bar u, \bar v \Big)$$ 

where 

$$\psi := \exists \bar x \bar y \Big( \bigwedge_{1 \le i \le k} \big( x_{2i-1} = \pi_1(u_i) \wedge x_{2i} = \mathrm{swap}_2(\pi_2(u_i)) \wedge y_{2i-1} = \pi_1(v_i) \wedge y_{2i} = \mathrm{swap}_2(\pi_2(v_i)) \big) \wedge \varphi \Big)$$ 

and in $\varphi$ every occurrence of the symbol $S$ is replaced by $S_1$. 
Let us now define the operations above: 

$$\pi_1(x) = y \iff y \le_2 x \wedge \forall z (z \le_2 y \to z = y)$$ 
$$\mathrm{swap}_1(x) = y \iff \forall z (z \le_2 x \to z = x) \wedge [\mathrm{TC}_{x,y}\, \exists z (S_1 xz \wedge S_2 yz)]\, x, y \wedge \forall z (z \le_1 y \to z = y)$$ 
$$\mathrm{comb}(x, y) = z \iff \forall u (u \le_2 x \to u = x) \wedge \forall u (u \le_1 y \to u = y) \wedge x \le_1 z \wedge y \le_2 z$$ 

Observe that if the formula $\varphi$ has no TC operators with parameters, then neither $\psi$ nor 
the resulting formula has (in $\psi$ only TC-formulas without parameters are introduced), and that the nesting 
depth is not increased. □ 

Let us now turn to the undecidability proof. 

Theorem 4.2. The $\mathrm{FO(TC)}^{2}_{(1)}$-theory of the infinite grid is undecidable. 

Proof. We define addition and multiplication in $\mathrm{FO(TC)}^{2}_{(1)}$ over $\mathcal{G}$ without the use of pa- 
rameters. By Lemma 4.1 it is enough to define these operations in $\mathrm{FO(TC)}_{(2)}$ over $\mathcal{N}$. The 
definition of addition is straightforward. 

$$a + b = c \iff [\mathrm{TC}_{x_1 x_2, y_1 y_2}\ S x_1 y_1 \wedge S x_2 y_2]\ 0\,a, b\,c$$ 

To define multiplication note that $x \cdot y = \frac{(x + y)^2 - x^2 - y^2}{2}$, hence it suffices to define the 
square function. To define it note that $x^2 = \sum_{i=0}^{x-1} (2i + 1)$. The formula 

$$\psi(x, y) = [\mathrm{TC}_{x_1 x_2, y_1 y_2}\ y_2 = x_2 + (x_2 - x_1) + 2 \wedge y_1 = x_2]\ 0\,1, x\,y$$ 

defines all pairs of square numbers 

$$\Big( \sum_{i=0}^{k-2} (2i + 1),\ \sum_{i=0}^{k-1} (2i + 1) \Big) \quad \text{for } k \ge 2.$$ 

Hence $\mathcal{N} \models \psi[a, b]$ iff $b - a = 2k - 1$ for some $k \ge 2$. Let 

$$\chi(x, y) = \exists z_1 \big( \psi(z_1, y) \wedge \ldots \big)$$ 

where the second conjunct is not recoverable from the extraction. Then $\mathcal{N} \models \chi[a, b]$ iff $b = a^2$. □ 
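As an added example, not taken from the paper: the following Python code enumerates the transitive closures used in the proof above over an initial segment of $\omega$ and recovers $x^2$ and $x \cdot y$ from them. It assumes that TC is read as reflexive-transitive closure (zero or more steps) and recovers $x^2$ from the $\psi$-pair whose difference is $2x - 1$, the relation stated just before $\chi$; the function names are the example's own.

```python
# Added example (not from the paper): the TC definitions of addition and of the
# square function from the proof of Theorem 4.2, evaluated over an initial
# segment of the natural numbers.  Assumption: TC is read as reflexive-transitive
# closure.  Both step relations are deterministic, so the closure from a fixed
# start pair is a single chain that can be enumerated directly.

def tc_chain(start, step, bound):
    """Pairs reachable from `start` under `step` (including `start` itself),
    truncated once a coordinate exceeds `bound`: the relation
    [TC_{x1x2,y1y2} step](start, .) restricted to [0, bound]."""
    chain, cur = [], start
    while max(cur) <= bound:
        chain.append(cur)
        cur = step(cur)
    return chain

def add_via_tc(a, b):
    """a + b = c  <->  [TC_{x1x2,y1y2} S x1 y1 /\\ S x2 y2](0 a, b c):
    every step moves both coordinates up by one, so (b, c) is reached
    from (0, a) exactly when c = a + b."""
    chain = tc_chain((0, a), lambda p: (p[0] + 1, p[1] + 1), a + b)
    return next(c for (x, c) in chain if x == b)

def square_pairs(bound):
    """psi(x, y) = [TC y2 = x2 + (x2 - x1) + 2 /\\ y1 = x2](0 1, x y):
    each step adds the next odd number, so the chain from (0, 1) consists
    of the pairs of consecutive squares (k^2, (k+1)^2)."""
    return tc_chain((0, 1), lambda p: (p[1], p[1] + (p[1] - p[0]) + 2), bound)

def square_via_tc(x):
    """Recover x^2 from psi: ((x-1)^2, x^2) is the unique psi-pair with
    difference 2x - 1 (the role of the formula chi).  x = 0 has no such
    pair, since the first coordinate is never negative, and is handled directly."""
    if x == 0:
        return 0
    return next(y for (z, y) in square_pairs(x * x) if y - z == 2 * x - 1)

def mul_via_squares(x, y):
    """x * y = ((x+y)^2 - x^2 - y^2) / 2, with the sum and the squares taken
    from the TC-defined operations above."""
    s = square_via_tc(add_via_tc(x, y))
    return (s - square_via_tc(x) - square_via_tc(y)) // 2
```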
A similar technique was used in [Avr03] to define multiplication in $(\omega, +, 0)$ using a 
transitive closure operator of arity one. 

The nesting of transitive closure operators in the previous proof is necessary. If we 
disallow nesting, even in the presence of parameters in the transitive closure formulas, the 
theory of the infinite grid is decidable. 

Theorem 4.3. The $\mathrm{FO(TC)}^{1}_{(1)}$-theory of the infinite grid is decidable. 

Proof. We reduce the $\mathrm{FO(TC)}^{1}_{(1)}$-theory of the infinite grid $\mathcal{G}$ to Presburger arithmetic, the 
first-order theory of $\mathcal{N}_+ = (\omega, +, 0)$, in the following sense: For every $\mathrm{FO(TC)}_{(1)}$-formula 
$\varphi(x_1, \ldots, x_n)$ one can construct a Presburger formula $\hat\varphi(x_{11}, x_{12}, \ldots, x_{n1}, x_{n2})$ such that 

$$\mathcal{G} \models \varphi[(k_1, l_1), \ldots, (k_n, l_n)] \iff \mathcal{N}_+ \models \hat\varphi[k_1, l_1, \ldots, k_n, l_n].$$ (4.1) 

In order to construct $\hat\varphi$ it suffices to consider the case 

$$\varphi(x_1, \ldots, x_n) = [\mathrm{TC}_{x, y}\ \psi(x, y, x_3, \ldots, x_n)]\ x_1, x_2$$ 

where $\psi$ is a first-order formula. This notation emphasizes that $x_3, \ldots, x_n$ serve as 
parameters in the transitive closure formula. 

In a first step we rewrite $\psi$ in a normal form, applying Hanf's Theorem for first-order 
logic over graphs (see [Han65], [EF95], [Tho97]). 

For this purpose we recall some definitions. The $r$-sphere $r\text{-sph}(d)$ around a vertex 
$d \in \omega^2$ is the set of grid vertices which are of distance less than or equal to $r$ from $d$, where 
we allow to traverse the edges in either direction. Invoking the distributive normal form 
and Hanf's Theorem, there exists a suitable radius $r$ such that $\psi(x_1, \ldots, x_n)$ is equivalent to 
a disjunction of formulas $\varphi_\tau(x_1, \ldots, x_n)$ where each describes the isomorphism type $\tau$ 
of $\bigcup_{1 \le i \le n} r\text{-sph}(c_i)$ for some tuple $c_1, \ldots, c_n$ of grid vertices. Let $T$ be the set of all such 
types. Since $T$ is finite it suffices to consider only finitely many tuples $c_1, \ldots, c_n$. 

Remark. In the general case, over an arbitrary graph instead of the infinite grid, Hanf's 
Theorem involves a statement on the number (up to a certain threshold) of spheres outside 
$\bigcup_{1 \le i \le n} r\text{-sph}(c_i)$. This statement is superfluous here due to the regular structure of the 
infinite grid. (For technical convenience we assume that $(0, 0)$ is included in the set of 
parameters, so every isomorphism type realizable in $\mathcal{G}$ outside $\bigcup_{1 \le i \le n} r\text{-sph}(c_i)$ occurs an 
infinite number of times.) 

Due to the special structure of the grid, which we depict as a diagram with the bottom 
row and left column as margins, open upwards and to the right, every formula $\varphi_\tau(x_1, \ldots, x_n)$ 
can be expressed by conditions on the vertices $x_1, \ldots, x_n$ which fix their distances up to the 
radius $r$ from the left margin as well as the bottom margin, and their relative distances up 
to $2r$. 

It is convenient to express $\varphi_\tau(x_1, \ldots, x_n)$ in terms of the $2n$ components of the vertices, 
obtaining a formula $\hat\varphi_\tau(x_{11}, x_{12}, \ldots, x_{n1}, x_{n2})$. The formula $\hat\varphi_\tau$ is interpreted over $\omega$ and 
equivalent to $\varphi_\tau$ in the sense of (4.1) above. It is a conjunction of statements 

• $x_{ih} = k$ for $0 \le k \le r$ or $x_{ih} > r$ 

• $(x_{i1}, x_{i2}) = (x_{j1}, x_{j2}) + (k, l)$ for $-2r \le k, l \le 2r$ 

• $\mathrm{dist}((x_{i1}, x_{i2}), (x_{j1}, x_{j2})) > 2r$ 

where $1 \le i, j \le n$ and $h \in \{1, 2\}$. 

We now have to evaluate formulas of the form 

$$\Big[ \mathrm{TC}_{(x_{11}, x_{12}), (x_{21}, x_{22})} \bigvee_{\tau \in T'} \hat\varphi_\tau(x_{11}, x_{12}, \ldots, x_{n1}, x_{n2}) \Big]\ (s, t), (u, v)$$ (4.2) 

for some $T' \subseteq T$. 

In a first step we note that it is possible to add disjuncts to (4.2) such that vertices which are tied 
to occur in a $2r$-sphere around a parameter $(x_{i1}, x_{i2})$ for $i > 2$ only need to appear as start 
vertex or as end vertex of any path described by (4.2). Hence vertices tied to parameters 
can be handled without the use of TC, by an appropriate modification of the formula. 

Let $I$ be an initial segment of the grid encompassing the $2r$-spheres around parameters 
$(x_{i1}, x_{i2})$ for $i > 2$. Outside this initial segment, in a second step, it suffices to consider 
formulas (4.2) in which only type formulas $\hat\varphi_\tau$ appear which contain 

$$x_{11} = k_1 \wedge x_{12} > r \ \text{ or } \ x_{11} > r \wedge x_{12} = k_2 \ \text{ or } \ x_{11} > r \wedge x_{12} > r \quad \text{for } k_1, k_2 \le r$$ 

and 

$$x_{21} = l_1 \wedge x_{22} > r \ \text{ or } \ x_{21} > r \wedge x_{22} = l_2 \ \text{ or } \ x_{21} > r \wedge x_{22} > r \quad \text{for } l_1, l_2 \le r$$ 

and 

$$\mathrm{dist}((x_{11}, x_{12}), (x_{21}, x_{22})) > 2r \ \text{ or } \ (x_{11}, x_{12}) = (x_{21}, x_{22}) + (k, l) \quad \text{for } -2r \le k, l \le 2r.$$ 

It is now possible to apply a finite saturation process to obtain a formula 

$$\Big[ \mathrm{TC}_{(x_{11}, x_{12}), (x_{21}, x_{22})} \bigvee_{1 \le j \le m} \varphi_j(x_{11}, x_{12}, \ldots, x_{n1}, x_{n2}) \Big]\ (s, t), (u, v)$$ (4.3) 

which is equivalent to (4.2) and where TC and $\bigvee$ commute, i.e. 

$$\Big[ \mathrm{TC}_{(x_{11}, x_{12}), (x_{21}, x_{22})} \bigvee_{1 \le j \le m} \varphi_j \Big]\ (s, t), (u, v) \ \equiv \ \bigvee_{1 \le j \le m} \Big[ \mathrm{TC}_{(x_{11}, x_{12}), (x_{21}, x_{22})}\ \varphi_j \Big]\ (s, t), (u, v).$$ 

The subformulas $\varphi_j$ in (4.3) have the same format as the subformulas $\hat\varphi_\tau$ in (4.2) except 
that the center of the excluded $2r$-sphere around $(x_{11}, x_{12})$ may be shifted by a bounded 
distance from $(x_{11}, x_{12})$ or be missing, or $\varphi_j$ defines the complete relation outside $I$ and the 
border stripes of width $r$. Thus it remains to consider two cases. 

Case 1. If $\varphi_j$ contains a conjunct excluding some $2r$-sphere then the relation defined by 
$[\mathrm{TC}_{(x_{11}, x_{12}), (x_{21}, x_{22})}\ \varphi_j]\ (s, t), (u, v)$ is cofinite (w.r.t. the grid excluding $I$ and border stripes 
of width $r$, or a fixed line in one of the border stripes) and hence definable without the use 
of a transitive closure operator. 

Case 2. If $\varphi_j$ fixes relations of the form 

$$(x_{21}, x_{22}) = (x_{11}, x_{12}) + (k_i, l_i)$$ (4.4) 

for $i = 1, \ldots, N$ and $-2r \le k_i, l_i \le 2r$, the formula $[\mathrm{TC}_{(x_{11}, x_{12}), (x_{21}, x_{22})}\ \varphi_j]\ (s, t), (u, v)$ 
expresses that there is a path from $(s, t)$ to $(u, v)$ consisting of steps of the form (4.3). The 
set of vertices $(u, v)$ reachable in this way from $(s, t)$ can be represented as the union of 
paths in the finite initial segment $I$ of the grid and finitely many sets of the form 

$$\{ (u, v) \mid (u, v) = (s', t') + y_1 (k_1, l_1) + \ldots + y_N (k_N, l_N) \}.$$ 

Here $y_i \ge 0$, the $(s', t')$ range over boundary vertices of $I$, and the $(k_i, l_i)$ are from (4.4). It 
follows that the relation defined by (4.2) is definable in Presburger arithmetic. □ 

5. Conclusion 

We have proved a result on compositional model checking for a logic including reacha- 
bility predicates, and we have shown tight limitations for possible extensions of this result. 
Let us mention some questions left open in this paper: 

(1) The composition result (Theorem 3.1) should be generalized to infinite products. 

(2) For an extension of Theorem 3.1, one can enrich FO(R) by an operator for "recurrent 
reachability" (existence of an infinite path which visits a designated set infinitely 
often), or one can consider stronger logics like (fragments of) CTL. 

(3) Interesting subcases of Theorem 3.1 should be found where the mentioned blow-up 
of complexity can be avoided. 

(4) The distinction between products which are asynchronous, finitely synchronized, or 
synchronized should be refined, by allowing other means of coordination between 
component structures, also incorporating the special case of synchronization of pa- 
rameterized systems composed from identical components. 